Logic error.. i think..

supermeera

Hello Everyone,

I have a script that I'm writing for a member's only section of my website. I've been writting and testing the script locally on my computer so that I can minimize errors once it's on the server. My computer is running Win 2000 Pro, IIS, CGI version of PHP v.4.3.2. My script is working fine on this computer, and giving me exactly the results I expected, that is it registers the session variables and allows me to move on to the appropriate sections. My hosting company's server is a Windows 2000 machine, running the CGI version of PHP v.4.3.0, but the script instead goes into a condition that I have if the query didn't return anything. Too see the phpinfo for the server, please visit, http://www.elluminata.com/php/phpinfo.php.

The code that I am using:

// start the session
session_start();
header("Cache-control: private"); //IE 6 Fix

$db = odbc_connect("db", "", "") or die("Couldn't connect to database.");

// Get the user's input from the form
$name = addslashes($POST['name']);
$password =md5($POST['pass']);

// Query the database to see if the username is present
$query = "SELECT count(id) FROM users where password='$password' AND username='$name'";
$result = odbc_exec($db, $query);
$num = odbc_result($result, 1);

echo $num;

if(!$num) {
// When the Query didn't return anything return user to the login form
// Will be implemented later
echo "Didn't work";
} else {
// Start the login session
$SESSION['name']=$name;
$SESSION['pass']=$password;
// Display the sssion information:
echo "Yes it worked!";
}

When I take the condition out in the query statement, the code works, but unfortunately not the way I want it (i.e. authenticating against username and password). If there is any suggestions about what is wrong I would really appreciate it.

ahundiak

Check that the majgc quote setting are the same on both machines. The addslashes could be the problem.
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc

Your link did not work.

supermeera

Sorry the link is,
http://www.elluminata.com/php/phpinfo.php

By the way, I checked my local settings with that of my server settings, and both seem to be the same. The setting for each of th magic_quotes_* are the same.

ahundiak

Check For Errors:
odbc_exec($query);
if (odbc_error()) die(odbc_errormsg() . $query);
Just in case your query does have an error in it.

With magic_quotes_gpc ON you probably should not be using the addslashes. But I am assuming you are testing with a username with no slashes.

supermeera

Thanks Ahundiak for all your help, it did end up being the addslashes method. Once I took that out the method, the script worked fine on the server.

Do you know why it wouldn't work on the server but on my local machine? As far as I could tell the version of the code with the addslashes did work on my machine, so I'm a little confused as to why it wouldn't work on the server, even though the settings seemed to be the same.

Thanks again!

ahundiak

It is puzzling.

How did you transfer your data from the local machine to the host? I'm guessing that your local data actually has some extra slashes stored in the database and that they went away during the transfer process.

Or else your local database is mysql and the server database is mssql?

The whole add/strip slash thing is one of the few php "standards" that I don't really like. It's not standard sql. I always just strip em out and then double them up while posting.

supermeera

I transfered all files that I use via ftp in binary format, so that should keep the integrity of the data.

In terms of the database, I am using an MS Access database which I created on my local machine. and then transfered via ftp. When I populated the database I acutally used a script similar to this:

<?php
$db = odbc_connect("users", "", "") or die("Couldn't connect to database.");

// 1.  create the incrypted password using a md5 checksum so there is no
//     conflict with the odbc_exec function, we are also adding slashes to
//	   to the username
$user= addslashes('testingUsername');
$pass= md5('testingPassword');
$clear = 2;
$url = 'perl2.php';

// 2.  Insert a test username and password into the database
$query = "INSERT INTO users (username, password, clearance, homepage)" ;
$query .= "values ('$user', '$pass', '$clear', '$url')";

// 3.  Perform the query
$result = odbc_exec($db, $query);

odbc_close($db);

I don't think it, the database even used the slashes to begin with when I executed the above statement, and so it's probably why the other script had issues when I was quering using it.

It's really quite odd, I'm trying to add some level of security so I thought the addslashes might be a good way to go.

Mark

dont think this will help much but why did you do this?:

// Start the login session
$SESSION['name']=$name;
$SESSION['pass']=$password;

why the ='s?

this should work..
// Start the login session
$SESSION['name'];
$SESSION['pass'];